Maps Having a High Branching Factor

ABSTRACT

Disclosed is a technique for providing packet filter maps with high branching factors in a system for managing network traffic in a visibility fabric. A high branching factor enables a map to branch out more than two ways. High branching factors can be realized by allowing a map to be affiliated with more than one action set. For example, each rule of the map may be affiliated with a unique action set that is executed only when the corresponding rule is satisfied.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 15/815,524, titled “Maps Having a High Branching Factor” and filed on Nov. 16, 2017, which claims the benefit of U.S. Provisional Patent Application No. 62/425,577, titled “Programmable Network Switches for Cloud Computing Architectures” and filed on Nov. 22, 2016, which are incorporated by reference herein in their entirety.

FIELD OF THE INVENTION

At least one embodiment of the present disclosure pertains to techniques for managing traffic traversing a computer network and, more particularly, to techniques for providing maps capable of handling the data packets that form the traffic.

BACKGROUND

Traffic in a computer network can be analyzed to improve real-time decision making for network operations, security techniques, etc. Traffic may be acquired at numerous points by a variety of devices/applications (collectively referred to as “nodes” in the computer network), and then forwarded to a network visibility appliance able to provide extensive visibility of traffic flow. Given the complexity and volume of traffic routed through many infrastructures, various kinds of network tools are often used to identify, analyze, or handle issues plaguing the computer network. These issues can include security threats, bottlenecks, etc. Examples of such network tools include an intrusion detection system (IDS) and an intrusion prevention system (IPS).

Network visibility appliances and network tools can operate as in-band devices (also referred to as “inline devices”) or out-of-band devices. Out-of-band devices operate outside of the path of traffic between an origination node and a destination node, and thus receive copies of the data packets that make up the traffic rather than the original data packets. Out-of-band devices can freely modify the copies of the data packets because the original data packets are allowed to traverse the computer network unimpeded. Inline devices, on the other hand, operate within the path of traffic between an origination node and a destination node, and thus receive the original data packets.

BRIEF DESCRIPTION OF THE DRAWINGS

One or more embodiments of the present invention are illustrated by way of example and not limitation in the figures of the accompanying drawings, in which like references indicate similar elements.

FIG. 1A depicts an example of a network arrangement in which a network visibility appliance receives data packets from multiple devices/applications (collectively referred to as “nodes”) in a computer network.

FIG. 1B illustrates an example path of a data packet as the data packet travels from an originating device to a recipient device.

FIG. 2 depicts an example of how a visibility platform can be integrated into a cloud computing platform to provide a coherent view of virtualized traffic in motion across the public cloud infrastructure for an end user.

FIG. 3 depicts one embodiment of a visibility platform that can be run entirely within a cloud environment or a non-cloud environment (e.g., as a virtual machine).

FIG. 4 depicts an example of a series of programmable flow tables that can be used by a network visibility appliance (and, more specifically, a programmable switch) to route traffic.

FIG. 5 depicts an example of a programmable flow table for a map.

FIG. 6 depicts how the rules of a legacy map are conventionally applied sequentially.

FIG. 7 depicts how a high branching factor can be realized by allowing maps to be affiliated with more than one action set.

FIG. 8A depicts an example of a network visibility appliance that includes a map designed to split incoming traffic into multiple streams.

FIG. 8B depicts another example of a network visibility appliance that includes a map designed to split incoming traffic into multiple streams.

FIG. 9 depicts a process for implementing a map having a branching factor greater than two.

FIG. 10 is a block diagram illustrating an example of a processing system in which at least some operations described herein can be implemented.

DETAILED DESCRIPTION

A network visibility appliance can be configured to receive data packets from one or more other nodes within a computer network. The network visibility appliance will often be coupled to one or more network tools configured to analyze the data packets (or copies of the data packets), monitor the traffic within the computer network, or block the transmission of abnormal (e.g., malicious) data packets.

Network visibility appliances have traditionally managed traffic using legacy maps. A legacy map is a static data structure that represents a detailed traffic distribution policy for how incoming data packets are to be handled by a network visibility appliance.

Legacy maps serve several purposes. First, a legacy map can include a rule that indicates whether an incoming data packet is to be altered in some way. For example, the rule may indicate that a data packet is to be aggregated with another data packet, filtered, or modified (e.g., stripped of a header or payload). Second, a legacy map can include a routing instruction that indicates where an incoming data packet is to be forwarded. For example, the routing instruction may indicate that a data packet received at a specified ingress port should be forwarded to a specified egress port. Thus, legacy maps ensure that traffic matching certain criteria is properly forwarded downstream (e.g., to a network tool or another network visibility appliance).

Legacy maps suffer from several drawbacks, however. For example, with exponential growth in workloads within physical data centers, many end users (e.g., individuals and enterprises) have begun moving work processes and data to cloud computing platforms. However, because legacy maps are static data structures, they cannot be dynamically edited. As such, legacy maps are often unsuitable for filtering traffic traversing cloud computing infrastructures that constantly change over time.

Introduced here, therefore, are maps that can be bound to source object(s) and destination object(s) upon deployment within a network visibility appliance. More specifically, a controller can associate a map with a source object and a destination object before the map is implemented (i.e., used) by the network visibility appliance. Binding may require that the controller dynamically edit an action set associated with a data structure (e.g., a programmable flow table) corresponding to the map. The data structure is accessible to the network visibility appliance, which can use the data structure to route traffic. For example, the data structure may be stored in a ternary content-addressable memory (TCAM).

Moreover, legacy maps branch out in exactly two ways. If a legacy map determines that a data packet satisfies a rule, then the legacy map can allow the data packet to pass (also referred to as an “accept action”). However, if the legacy map determines that the data packet does not satisfy the rule, then the legacy map can prevent the data packet from passing (also referred to as a “drop action”).

In contrast, the maps introduced here may have high branching factors that allow traffic traversing a visibility fabric to be readily managed. In some embodiments the network visibility appliance acts as the visibility fabric, while in other embodiments the network visibility appliance is a part of the visibility fabric. A high branching factor enables a map to branch out in more than two ways. High branching factors can be realized by allowing a map to be affiliated with more than one action set. For example, each rule of a map may be affiliated with a unique action set that is executed only when the corresponding rule is satisfied.

Terminology

Reference to “one embodiment” or “an embodiment” means that the particular feature, function, structure, or characteristic being described is included in at least one embodiment of the present disclosure. Occurrences of such phrases do not necessarily all refer to the same embodiment, nor are they necessarily referring to alternative embodiments that are mutually exclusive of one another.

The terms “connected,” “coupled,” or any variant thereof includes any connection or coupling between two or more elements, either direct or indirect. The coupling/connection can be physical, logical, or a combination thereof. For example, two devices may be physically, electrically, and/or communicatively coupled to one another.

Visibility Appliance Architecture

FIG. 1A depicts an example of a network arrangement 100 a in which a network visibility appliance 102 receives data packets from multiple devices/applications (collectively referred to as “nodes”) in a computer network 110. The nodes couple an originating device 104 (e.g., a desktop computer system) to a recipient device 108 (e.g., a server). Thus, the nodes allow data packets to be transmitted between the originating device 104 and the recipient device 108. Examples of nodes include switches (e.g., switches 106 a, 106 d), routers (e.g., routers 106 b, 106 c), network taps, etc.

Each node represents an entry point into the computer network 110. The entry points could be, and often are, from different points within the computer network 110. Generally, at least some of the nodes are operable to transmit data packets received as network traffic (or duplicate copies of the data packets) to a network visibility appliance 102 for analysis. Network traffic can be directed to the network visibility appliance 102 by a node that provides an entry point into the computer network 110.

Whether a node transmits the original data packets or copies of the original data packets to a device downstream of the node (e.g., the network visibility appliance 102) depends on whether the downstream device is an inline device or an out-of-band device. As noted above, inline devices receive the original data packets, while out-of-band devices receive copies of the original data packets.

Here, the network visibility appliance 102 can receive data packets from node 106 b (e.g., via transmission path 114 a) and pass at least some of the data packets to node 106 c (e.g., via transmission path 114 b). Because node 106 b is able to transmit network traffic downstream through the network visibility appliance 102, node 106 b need not be coupled directly to node 106 c (i.e., transmission path 114 c may not exist). Some or all of the nodes within the computer network 110 can be configured in a similar fashion.

When the network visibility appliance 102 is deployed as an inline device, data packets are received by the network visibility appliance 102 at a network port (referred to as an “ingress port”). For example, data packets transmitted by node 106 b via transmission path 114 a are received by the network visibility appliance 102 at a particular ingress port. The network visibility appliance 102 may include multiple network ports coupled to different nodes in the computer network 110. The network visibility appliance 102 can be, for example, a monitoring platform that includes a chasses and interchangeable blades offering various functionalities, such as enhanced packet distribution and masking/filtering capabilities.

The network visibility appliance 102 can also transmit data packets from a network port (referred to as an “egress port”). For example, the network visibility appliance may include multiple egress ports that are coupled to different network tools 112 a-n. Each network tool 112 a-n can be deployed as an inline device or an out-of-band device at any given point in time. When a network tool is deployed as an out-of-band device, the network visibility appliance 102 creates a duplicate copy of at least some of the data packets received by the network visibility appliance 102, and then passes the duplicate copies to an egress port for transmission downstream to the out-of-band network tool. When a network tool is deployed as an inline device, the network visibility appliance 102 passes at least some of the original data packets to an egress port for transmission downstream to the inline network tool, and those data packets are then normally received back from the tool at a separate network port of the network visibility appliance 102 (assuming the data packets are not blocked by the tool).

FIG. 1B illustrates an example path of a data packet as the data packet travels from an originating device 104 to a recipient device 108. More specifically, FIG. 1B depicts a network arrangement 100 b in which the network visibility appliance 102 and a network tool 112 a are both deployed as inline devices (i.e., within the flow of network traffic). Although the transmission paths connecting the network visibility appliance 102 and network tool 112 a are half duplex wires (i.e., only transmit information in one direction), full duplex wires capable of transmitting information in both directions could also be used for some or all of the transmission paths between nodes of the computer network 110.

After receiving a data packet from node 106 b, the network visibility appliance 102 identifies a map corresponding to the data packet based on one or more characteristics of the data packet. For example, the characteristic(s) could include the communication protocol of which the data packet is a part (e.g., HTTP, TCP, IP) or a session feature (e.g., a timestamp). Additionally or alternatively, the proper map could be identified based on the network port of the network visibility appliance 102 at which the data packet was received, the source node from which the data packet was received, etc.

As further described below, the map represents a policy for how the data packet is to be handled by the network visibility appliance 102. For example, the map could specify that the data packet is to be transmitted in a one-to-one configuration (i.e., from an ingress port of the network visibility appliance 102 to an egress port of the network visibility appliance 102), a one-to-many configuration (i.e., from an ingress port of the network visibility appliance 102 to multiple egress ports of the network visibility appliance 102), or a many-to-one configuration (i.e., from multiple ingress ports of the network visibility appliance 102 to an egress port of the network visibility appliance 102). Thus, a single egress port of the network appliance 102 could receive data packets from one or more ingress ports of the network appliance 102.

Often, the data packet is passed (e.g., by a processor of the network visibility appliance 102) to an egress port for transmission downstream to a network tool (e.g., a monitoring and/or security tool). Here, for example, the map may specify that the data packet is to be passed by the network visibility appliance 102 to a tool port for transmission downstream to network tool 112 a. The network visibility appliance 102 may aggregate or modify the data packet in accordance with the policy specified by the map before passing the data packet to the egress port for transmission downstream to the network tool 112 a. In some embodiments, the network visibility appliance 102 includes multiple egress ports, each of which is coupled to a different network tool or another network visibility appliance.

After analyzing the data packet, the network tool 112 a normally transmits the data packet back to the network visibility appliance 102 (i.e., assuming the network tool 112 a does not determine that the packet should be blocked), which passes the data packet to a network port for transmission downstream to another node (e.g., node 106 c).

FIG. 2 depicts an example of how a visibility platform 202 can be integrated into a cloud computing platform 200 to provide a coherent view of virtualized traffic in motion across the public cloud infrastructure for an end user. Many end users have begun moving work processes and data to cloud computing platforms. By installing agents 204 on some or all of the virtual machines 206 belonging to the end user, the visibility platform 202 can acquire data packets (or duplicate copies of the data packets) traversing a public cloud infrastructure for further analysis in order to improve visibility into possible security risks.

In some embodiments, the visibility platform 202 is communicatively coupled to one or more network tools 208 for analyzing the virtualized traffic. The network tool(s) 208 can be hosted locally as part of the visibility platform 202 (i.e., on the cloud computing platform 200) or remotely (e.g., within an on-premises computing environment controlled by the end user). When the visibility platform 202 is entirely virtual, the visibility platform 202 establishes a tunnel for delivering the virtualized traffic to the network tool(s) 208 regardless of where the network tool(s) 208 reside. However, when the visibility platform 202 is physical (e.g., the network visibility appliance is comprised of a physical programmable switch), the visibility platform 202 may establish a tunnel only for those network tool(s) 208 that are hosted remotely (e.g., are not directly coupled to the visibility platform 202 using physical cables).

A “tunnel” is a mechanism that can be used to reliably transmit traffic across a network. Before virtualized traffic is forwarded to the tunnel by the visibility platform 202 for transmission to the network tool(s) 208, the visibility platform 202 may create an outer jacket for the virtualized traffic (and any other network content) based on the type of tunnel. For example, an inner payload could be wrapped in an encapsulation by the visibility platform 202 in accordance with a Virtual Extensible LAN (VXLAN) protocol or a Generic Routing Encapsulation (GRE) protocol. The network tool(s) 208 can then remove the outer jacket upon reception and determine how the inner payload (i.e., the actual virtualized traffic) should be handled.

The visibility platform 202 can exist as a cloud-native virtual machine (also referred to as an “unnative virtual machine”) that analyzes virtualized traffic traversing the cloud computing platform 200. Accordingly, the visibility platform 202 may not be limited by the computer hardware responsible for supporting the cloud computing platform 200.

FIG. 3 depicts one embodiment of a visibility platform 300 that can be run entirely within a cloud environment or a non-cloud environment (e.g., as a virtual machine). Thus, the visibility platform 300 may be hosted on a cloud computing platform, run on a dedicated piece of computer hardware (e.g., a monitoring platform that includes a chassis and interchangeable blades offering various functionalities, such as enhanced packet distribution and masking/filtering capabilities), or some combination thereof. For example, the visibility platform 300 could include a network visibility appliance 304 that resides on a stand-alone personal computer, a dedicated network server, or some other computing device having an x86 instruction set architecture.

In some instances it may be desirable to run the network visibility appliance 304 as a virtual machine on a cloud computing platform (e.g., cloud computing platform 200 of FIG. 2). For example, the visibility platform 300 may exist inside of a Virtual Private Cloud (VPC) that resides within a dedicated section of an end user's virtual network within Amazon Web Services (AWS), VMware, OpenStack, etc. Such an arrangement permits the visibility platform 300 to intelligently optimize, filter, and analyze virtualized traffic across hundreds or thousands of virtual machines. Note, however, that the visibility platform 300 may also exist outside of the VPC.

The visibility platform 300 can include one or more agents 302 for mirroring virtualized traffic traversing a cloud computing platform, a network visibility appliance 304 for aggregating and filtering the virtualized traffic, one or more controllers 306, and a client 308 for managing the visibility platform 300 as a whole. Other embodiments may include a subset of these components.

As shown here, each agent 302 is fully contained within a corresponding target virtual machine 310 whose virtualized traffic is to be monitored. While the agent(s) 302 serve requests issued by the controller(s) 306, each agent 302 may be responsible for configuring its own interface mirrors, tunnels, etc.

The network visibility appliance 304 can include a programmable switch (also referred to as a “switching engine”). The programmable switch may be a physical switch or a virtual switch, such as a software-defined networking (SDN) switch. The network visibility appliance 304 is responsible for aggregating virtualized traffic mirrored by the agent(s) 302, and then forwarding at least some of the aggregated virtualized traffic to one or more network tools 312 for further analysis. In some embodiments, the network visibility appliance 304 filters (e.g., slices, masks, or samples) and/or replicates the aggregated virtualized traffic before forwarding it downstream to the network tool(s) 312.

The controller(s) 306, meanwhile, may be controllable by the end user via the client 308, which may be hosted on the cloud computing platform on in an on-premises computing environment controlled by the end user. In some embodiments a single controller 306 is configured to control the agent(s) 302 and the programmable switch 304, while in other embodiments multiple controllers 306 are configured to control the agent(s) 302 and the network visibility appliance 304. Here, for example, a first controller controls the agent(s) 302 and a second controller controls the network visibility appliance 304. However, each agent 302 could also be associated with a dedicated controller.

Together, the client 308 and the controller(s) 306 enable centralized management of the visibility platform 300 as a whole. For example, the client 308 may be configured to integrate with one or more application programming interfaces (APIs) 314 offered by the cloud computing platform in order to retrieve relevant information about the virtualized traffic being monitored (e.g., end user credentials, virtual machine addresses, virtualized traffic characteristics). In some embodiments, the client 308 supports a drag-and-drop user interface that can be used by the end user to create and implement traffic policies. Moreover, the client 308 may provide traffic policy statistics to the end user or an administrator (e.g., the manager of the visibility platform 300) for troubleshooting in real time.

By identifying the network object(s) interconnected through a visibility fabric, a traffic flow can be readily monitored regardless of whether the network visibility appliance is monitoring data packets traversing a physical device or a virtual environment. Examples of network objects include raw endpoints, tunnel endpoints, application endpoints, and maps. A network visibility appliance may include one or more raw endpoints that receive traffic direction from corresponding Network Interface Cards (NICs) or virtual Network Interface Cards (vNICs). The network visibility appliance may also include one or more tunnel endpoints that send/receive traffic to/from remote locations. Examples of remote locations include other network visibility appliances, on-premises computing environments, etc. Tunnel endpoints can be created by the network visibility appliance using APIs, and tunnel endpoints are typically associated with both a remote endpoint and a specific type (e.g., VXLAN or GRE).

The network visibility appliance may also include one or more application endpoints that send/receive packets to/from application programs (also referred to as “applications”). Applications may be responsible for creating, aggregating, filtering, and/or modifying the virtualized traffic received by the network visibility appliance. Examples of applications can include masking programs, deep packet inspection programs, net flow generation programs, etc.

The network visibility appliance can receive traffic at raw endpoints, tunnel endpoints, and application endpoints, and the network visibility appliance can output traffic at tunnel endpoints and application endpoints. Raw endpoints, therefore, can only receive incoming traffic, while tunnel endpoints and application endpoints are generally bi-directional (i.e., can receive and transmit traffic across different ingress and egress interfaces).

Raw endpoints can receive traffic directly from (v)NICs. However, tunnel endpoints are often the predominant way to route traffic away from a network visibility appliance (e.g., into an on-premises environment that includes one or more network tools). Moreover, although application endpoints route virtualized traffic into an environment managed by an application, the environment still typically resides within the network visibility appliance.

Maps Usable by Network Visibility Appliances

A network visibility appliance can be configured to filter traffic received at an ingress port. More specifically, the network visibility appliance may select traffic of interest by matching received traffic against specified criteria defined in a map. For example, traffic satisfying a first criterion can be routed to a first destination, and traffic satisfying a second criterion can be routed to a second destination. Each destination may correspond to a different egress port coupled to a network tool or another network visibility appliance.

FIG. 4 depicts an example of a series of programmable flow tables that can be used by a network visibility appliance (and, more specifically, a programmable switch) to route traffic. Each network object capable of receiving incoming traffic (i.e., each raw endpoint, tunnel endpoint, and application endpoint) can be represented by a row in Table_0. These network objects can be referred to as possible “ingress ports,” “ingress interfaces,” or “ingress points.” Table_0 is responsible for initially routing all incoming traffic to a tunnel endpoint, an application endpoint, or a map (which requires the corresponding entry list another table). In some embodiments, the network visibility appliance maintains statistics regarding how traffic is routed between the various network objects.

Each map is represented by its own table (e.g., Table_1, Table_2, Table_3, and Table_4). FIG. 5 depicts an example of a programmable flow table for a map. The number of lines in the programmable flow table (which is generally on the order of hundreds or thousands) defines how many rules are allowed in the map.

Maps represent packet filters that can be applied to data packets. A map (M) is a collection of one or more rules that is considered a “match” if any of the rules has a match.

M=R ₁ ∨R ₂ . . . ∨R _(n)

A rule (R) includes one or more rule components that must be simultaneously satisfied.

R=r ₁ ∧r ₂ ∧ . . . ∧r _(m)

A rule component (r) is a specific filtering criterion for matching packets (e.g., based on address, protocol, source port, destination port, or some other packet criteria).

As shown in FIG. 5, the programmable flow table can specify what will happen if any of the rules (e.g., R1, R2, R3, R4, or R5) result in a match. The outcome (also referred to as an “action set”) may specify, for example, that matching data packets should be dropped or routed to a specific network object (e.g., a tunnel endpoint, an application endpoint, or another map).

FIG. 5 also depicts an example of a programmable flow table that includes the action sets for a map. An action set is a group of one or more actions that are applied together. Each action set can specify one or more different actions to be performed if application of a corresponding rule results in a match. If the action set is an empty set or a null set (i.e., does not include an affiliated action), then the network visibility appliance treats the action set as a conclusive drop rule. Accordingly, all matching data packets are dropped by the network visibility appliance.

The action set may list a data structure entry corresponding to a tunnel endpoint or an application endpoint. Here, for example, ActionSet_4 lists A1 (which corresponds to an application endpoint). In such instances, the network visibility appliance directs matching data packets to the specified network object, which causes the matching data packets to once again be governed by Table_0. The action set may also specify that matching data packets should be forwarded to another table corresponding to another map. Here, for example, ActionSet_3 causes traffic to be forwarded to Table_3, which represents another map. Traffic can be replicated as necessary when a data entry is associated with more than one other data entries (e.g., when the action set specifies multiple destinations).

Multiple rules may be associated with a single action set. Here, for example, rule one (R1) and rule two (R2) are affiliated with ActionSet_0, while rule three (R3), rule four (R4), and rule five (R5) are affiliated with ActionSet_2. Generally, these links to action sets are fixed once the map has been constructed and programmed into the network visibility appliance. However, because each map is assigned to its own table, an end user may be able to easily add, remove, or modify maps by adding new tables, removing existing tables, or modifying entries in existing tables.

In some embodiments, each rule is assigned a specific priority. Priorities can range from 0-99, where a larger number denotes a higher priority. Higher priority rules can then be evaluated before lower priority rules. In some embodiments no specific execution order may be guaranteed for rules having the same priority, while in other embodiments rules having the same priority are executed in the order in which they reside in the programmable flow table.

The associations described above between the various programmable flow tables are generally simple, passive links. However, the links could be made more intelligent. For example, the network visibility appliance may add quality of service (QoS) policies to certain links, stamp incoming data packets with particular metadata (e.g., a timestamp or unique identifier), modify the Internet Protocol (IP) addresses of outgoing data packets, etc.

Note that the same techniques could be implemented using a single table that is partitioned into multiple (logical) zones. For example, a first group of rows may be allocated to the network objects capable of receiving incoming traffic, a second group of rows may be allocated to a first map, and a third group of rows may be allocated to a second map.

The programmable flow tables shown in FIGS. 4-5 may be programmed (e.g., by a network visibility appliance, client, or controller) using a graph. For example, the programmable flow tables may be automatically populated responsive to determining that a graph depicting the network objects as nodes has been finalized by the end user. Links between pairs of network objects can be illustrated as connections between pairs of nodes in the graph. In some embodiments, the programmable flow tables are made accessible (i.e., exposed) to a controller that is able to dynamically add, delete, and/or modify entries in real time as the graph is altered by the end user.

As shown in FIG. 6, the rules of a legacy map are conventionally applied sequentially. However, such a technique causes significant delays and consumes significant processing resources when the number of entries in a data structure (e.g., a programmable flow table) representing the map exceeds a certain number (e.g., a few hundred or thousand entries).

Virtual implementation of a physical decision tree can create several different issues. For example, in order to construct an “n”-way decision tree (where n is an integer), many different maps would need to be nested together. But this also becomes a very resource-intensive operation because each branch only splits the decision one of two ways. That is, each branch only permits the outcome to be a pass action or a drop action.

The maps introduced here can address this issue by having high branching factors. A high branching factor allows a map to branch out more than two ways. Increasing the fan-out from a map can result in a much improved application time.

As shown in FIG. 7, a high branching factor can be realized by allowing maps to be affiliated with more than one action set. For example, each rule may be affiliated with a particular action set that is executed only when the corresponding rule is considered a match. Thus, the branching factor (f) dictates how quickly a programmable switch can descend through the total number of rules of a map (n).

Map Descent Rate=log_(f)(n)

For example, a programmable switch can evaluate 4,096 rules in two levels of a tree having a branching factor of 64. Note, however, that any number of paths could extend out of a given map (e.g., 10, 20, or 60).

One benefit of utilizing a cloud computing infrastructure is that a high number of nodes (e.g., network visibility appliances) may exist. Even though no single node may have much processing power, a map having a high number of rule entries can be intelligently distributed across multiple nodes, thereby taking advantage of the increased processing power. For example, a single node might only have 4 or 8 central processing units (CPUs), but the map may be distributed across 500 nodes that yield much greater collective processing capabilities.

FIG. 8A depicts an example of a network visibility appliance 802 a that includes a map 806 a designed to split incoming traffic into multiple streams. After receiving data packets at an ingress port 804 a, the network visibility appliance 802 a can filter the data packets using the map 806 a. Here, the map 806 a includes two filtering criteria (i.e., Criterion A and Criterion B). Thus, data packets satisfying Criterion A will be filtered into one stream, and data packets satisfying Criterion B will be filtered into another stream. As noted above, data packets that do not satisfy either of the filtering criteria will be dropped. Filtering criteria may be associated with data packet characteristics, such as the communication protocol of which the data packet is a part (e.g., HTTP, TCP, UDP, IPv4), a session feature (e.g., a timestamp), the ingress port at which the data packet was received, the source node from which the data packet was received, etc.

The map 806 a can also specify how data packets satisfying each filtering criterion should be handled. Here, data packets satisfying Criterion A are forwarded to egress port 808 a, while data packets satisfying Criterion B are forwarded to egress port 810 a. Because each filtering criterion can be associated with a separate action set, the network visibility appliance 802 a can filter incoming traffic using a single map rather than a series of nested legacy maps. The egress ports 808 a, 810 a can be coupled to a network tool or another network visibility appliance.

FIG. 8B depicts another example of a network visibility appliance 802 b that includes a map 806 b designed to split incoming traffic into multiple streams. After receiving data packets at an ingress port 804 b, the network visibility appliance 802 b can filter the data packets using the map 806 b. Much like the map 806 a of FIG. 8A, the map 806 b of FIG. 8B includes two filtering criteria (i.e., Criterion A and Criterion B). Here, however, data packets satisfying Criterion A and data packets satisfying Criterion B are both forwarded to egress port 808 b. Such a design can be useful in several scenarios.

For example, the network visibility appliance 802 b may generate statistics on data packet matches (i.e., pass actions) even though all of the traffic may be forwarded to the egress port 808 b. More specifically, the administrator may use map(s) to learn about the spread of traffic with respect to certain data packet characteristic(s). For instance, the map 806 b shown here may specify the distribution of traffic between Criterion A (e.g., TCP traffic) and Criterion B (e.g., UDP traffic). Because the map 806 b can be associated with any number of rules and action sets, detailed statistics can be generated. For example, a map could filter incoming traffic into four, six, or eight different streams.

As another example, an administrator may design the network visibility appliance 802 b such that data packets matching different criteria are treated different. For instance, the network visibility appliance 802 b may be configured to drop 20% of the data packets satisfying Criterion A and drop 50% of the data packets satisfying Criterion B. Such action may be useful in limiting bandwidth consumption, reducing network tool congestion, etc.

Some embodiments of the network visibility appliance include multiple ingress ports, each of which can be associated with a separate map. These maps may specify that the data packets received at the multiple ingress ports should be forwarded to a single egress port or multiple egress ports. Thus, maps can allow data packets matching a certain filtering criterion to be transmitted in a one-to-one configuration (i.e., from an ingress port of the network visibility appliance to an egress port of the network visibility appliance), a one-to-many configuration (i.e., from an ingress port of the network visibility appliance to multiple egress ports of the network visibility appliance), or a many-to-one configuration (i.e., from multiple ingress ports of the network visibility appliance to an egress port of the network visibility appliance).

FIG. 9 depicts a process 900 for implementing a map having a branching factor greater than two. A map accessible to multiple network objects through a network fabric can initially be identified (step 901). Generally, the plurality of network objects will include raw endpoint(s), tunnel endpoint(s), and/or application endpoint(s).

The map includes a collection of one or more rules that are applied to data packets received by the map. Each rule can be associated with an action set that is to be executed only when a corresponding rule is considered a match (step 902). A rule is considered a match when a data packet satisfies a corresponding filtering criterion. Generally, each action set includes at least one of a pass action that causes data packets satisfying the filtering criterion to be forwarded downstream to a network object or a drop action that causes data packets that do not satisfy the filtering criterion to be dropped.

A priority value may also be assigned to each rule in the map (step 903). Action sets corresponding to higher priority rules are executed before action sets corresponding to lower priority rules. Action sets corresponding to rules having identical priority values can be executed based on the order of the rules within a data structure (e.g., a programmable flow table).

Because each rule is associated with a separately-actionable action set and a priority value, the entire map (i.e., all rules) can be concurrently applied to an incoming data packet (step 904). Accordingly, a programmable switch could simultaneously apply multiple rules rather than sequentially apply individual rules as would conventionally occur. While each rule in the map is typically associated with a distinct action set, it may be useful for some rules to share a common action set. For example, data packets satisfying two different filtering criteria may be handled the same way.

Unless contrary to physical possibility, it is envisioned that the steps may be performed in various sequences and combinations. For example, the steps of the process could be executed by a network visibility appliance or a controller/client communicatively coupled to the network visibility appliance. Other steps could also be included in some embodiments.

Processing System

FIG. 10 is a block diagram illustrating an example of a processing system 1000 in which at least some operations described herein can be implemented. For example, the processing system 1000 may be responsible for generating an interface through which an end user modifies the visibility fabric including one or more visibility platforms, interacts with a graph representing the visibility fabric, etc. As another example, at least a portion of the processing system 1000 may be included in a computing device (e.g., a server) that supports a cloud computing platform. The process system 1000 may include one or more processors 1002, main memory 1006, non-volatile memory 1010, network adapter 1012 (e.g., network interfaces), display 1018, input/output devices 1020, control device 1022 (e.g., keyboard and pointing devices), drive unit 1024 including a storage medium 1026, and signal generation device 1030 that are communicatively connected to a bus 1016. The bus 1016 is illustrated as an abstraction that represents any one or more separate physical buses, point to point connections, or both connected by appropriate bridges, adapters, or controllers. The bus 1016, therefore, can include, for example, a system bus, a Peripheral Component Interconnect (PCI) bus or PCI-Express bus, a HyperTransport or industry standard architecture (ISA) bus, a small computer system interface (SCSI) bus, a universal serial bus (USB), IIC (I2C) bus, or an Institute of Electrical and Electronics Engineers (IEEE) standard 1394 bus, also called “Firewire.” A bus may also be responsible for relaying data packets (e.g., via full or half duplex wires) between components of a network appliance, such as a switching engine, network port(s), tool port(s), etc.

In various embodiments, the processing system 1000 operates as a standalone device, although the processing system 1000 may be connected (e.g., wired or wirelessly) to other devices. For example, the processing system 1000 may include a terminal that is coupled directly to a network appliance. As another example, the processing system 1000 may be wirelessly coupled to the network appliance.

In various embodiments, the processing system 1000 may be a server computer, a client computer, a personal computer (PC), a user device, a tablet PC, a laptop computer, a personal digital assistant (PDA), a cellular telephone, an iPhone, an iPad, a Blackberry, a processor, a telephone, a web appliance, a network router, switch or bridge, a console, a hand-held console, a (hand-held) gaming device, a music player, any portable, mobile, hand-held device, or any machine capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken by the processing system 1000.

While the main memory 1006, non-volatile memory 1010, and storage medium 1026 (also called a “machine-readable medium) are shown to be a single medium, the term “machine-readable medium” and “storage medium” should be taken to include a single medium or multiple media (e.g., a centralized or distributed database, and/or associated caches and servers) that store one or more sets of instructions 1028. The term “machine-readable medium” and “storage medium” shall also be taken to include any medium that is capable of storing, encoding, or carrying a set of instructions for execution by the processing system 1000 and that cause the processing system 1000 to perform any one or more of the methodologies of the presently disclosed embodiments.

In general, the routines that are executed to implement the technology may be implemented as part of an operating system or a specific application, component, program, object, module, or sequence of instructions (collectively referred to as “computer programs”). The computer programs typically comprise one or more instructions (e.g., instructions 1004, 1008, 1028) set at various times in various memory and storage devices in a computer, and that, when read and executed by one or more processing units or processors 1002, cause the processing system 1000 to perform operations to execute elements involving the various aspects of the disclosure.

Moreover, while embodiments have been described in the context of fully functioning computers and computer systems, those skilled in the art will appreciate that the various embodiments are capable of being distributed as a program product in a variety of forms, and that the disclosure applies equally regardless of the particular type of machine or computer-readable media used to actually effect the distribution.

Further examples of machine-readable storage media, machine-readable media, or computer-readable (storage) media include recordable type media such as volatile and non-volatile memory devices 1010, floppy and other removable disks, hard disk drives, optical disks (e.g., Compact Disk Read-Only Memory (CD ROMS), Digital Versatile Disks (DVDs)), and transmission type media such as digital and analog communication links.

The network adapter 1012 enables the processing system 1000 to mediate data in a network 1014 with an entity that is external to the processing system 1000, such as a network appliance, through any known and/or convenient communications protocol supported by the processing system 1000 and the external entity. The network adapter 1012 can include one or more of a network adaptor card, a wireless network interface card, a router, an access point, a wireless router, a switch, a multilayer switch, a protocol converter, a gateway, a bridge, bridge router, a hub, a digital media receiver, and/or a repeater.

The network adapter 1012 can include a firewall which can, in some embodiments, govern and/or manage permission to access/proxy data in a computer network, and track varying levels of trust between different machines and/or applications. The firewall can be any number of modules having any combination of hardware and/or software components able to enforce a predetermined set of access rights between a particular set of machines and applications, machines and machines, and/or applications and applications, for example, to regulate the flow of traffic and resource sharing between these varying entities. The firewall may additionally manage and/or have access to an access control list which details permissions including for example, the access and operation rights of an object by an individual, a machine, and/or an application, and the circumstances under which the permission rights stand.

Other network security functions can be performed or included in the functions of the firewall, including intrusion prevention, intrusion detection, next-generation firewall, personal firewall, etc.

As indicated above, the techniques introduced here implemented by, for example, programmable circuitry (e.g., one or more microprocessors), programmed with software and/or firmware, entirely in special-purpose hardwired (i.e., non-programmable) circuitry, or in a combination or such forms. Special-purpose circuitry can be in the form of, for example, one or more application-specific integrated circuits (ASICs), programmable logic devices (PLDs), field-programmable gate arrays (FPGAs), etc.

Note that any of the embodiments described above can be combined with another embodiment, except to the extent that it may be stated otherwise above or to the extent that any such embodiments might be mutually exclusive in function and/or structure.

Although the present invention has been described with reference to specific exemplary embodiments, it will be recognized that the invention is not limited to the embodiments described, but can be practiced with modification and alteration within the spirit and scope of the appended claims. Accordingly, the specification and drawings are to be regarded in an illustrative sense rather than a restrictive sense. 

What is claimed is:
 1. A method comprising: identifying a map that includes a plurality of rules for handling data packets; associating each rule of the plurality of rules with an action set, wherein each action set is to be executed when a corresponding rule is considered a match, and wherein the corresponding rule is considered a match when a corresponding criterion is satisfied by a data packet; and causing the map to be implemented by a network visibility appliance to which a traffic stream is directed for analysis, wherein the map is implemented such that all rules of the plurality of rules are applied to each data packet included in the traffic stream.
 2. The method of claim 1, wherein each action set includes at least one of a pass action that causes data packets that satisfy the corresponding criterion to be forwarded downstream to a network object, or a drop action that causes data packets that do not satisfy the corresponding criterion to be dropped.
 3. The method of claim 1, wherein at least two rules of the plurality of rules share an action set in common.
 4. The method of claim 1, further comprising: assigning a priority value to each rule of the plurality of rules.
 5. The method of claim 4, wherein action sets corresponding to higher priority rules are to be executed before action sets corresponding to lower priority rules.
 6. The method of claim 4, wherein action sets corresponding to rules having identical priority values are to be executed based on an order of the rules within a data structure that is representative of the map.
 7. The method of claim 1, wherein said identifying, said associating, and said causing are performed by a controller that is communicatively connected to the network visibility appliance.
 8. A programmable switch comprising: an ingress port at which to receive a data packet transmitted by an agent that is hosted on a virtual machine; and a processor configured to: identify a map to be applied to the data packet, wherein the map includes a plurality of rules, each rule being associated with a respective entry in a data structure that specifies (i) a criterion and (ii) an action set that is to be executed when the criterion is satisfied; apply the plurality of rules to the data packet to identify at least one matching rule; and executing at least one action set corresponding to the at least one matching rule.
 9. The programmable switch of claim 8, wherein each entry further specifies (iii) a priority value assigned to the corresponding rule.
 10. The programmable switch of claim 9, wherein the at least one action set is executed in order of priority.
 11. The programmable switch of claim 8, wherein the data packet is included in a stream of data packets indicative of traffic handled by a cloud computing platform of which the virtual machine is a part.
 12. The programmable switch of claim 8, further comprising: a ternary content-addressable memory (TCAM) in which the data structure is stored.
 13. The programmable switch of claim 12, wherein the data structure is a programmable flow table.
 14. A method comprising: identifying a plurality of network objects that are interconnected through a network visibility appliance to which data packets are to be routed for analysis; associating each network object of the plurality of network objects with an action set; constructing a data structure that is representative of the network visibility appliance by— creating a separate entry for each network object of the plurality of network objects, and establishing an association between a pair of entries for each traffic flow between a pair of network objects of the plurality of network objects, wherein each action set includes at least one of a pass action that is represented in the data structure as an established association, or a drop action that is represented in the data structure as a lack of established associations; and storing the data structure in a memory that is accessible to the network visibility appliance.
 15. The method of claim 14, further comprising: acquiring, from a public cloud infrastructure, the data packets that are indicative of traffic associated with a given user; and routing the data packets through the plurality of network objects based on the data structure.
 16. The method of claim 15, wherein the given user is one of a plurality of users that are able to access the public cloud infrastructure.
 17. The method of claim 15, further comprising: forwarding at least some of the data packets that were not dropped by the plurality of network objects to the public cloud infrastructure.
 18. The method of claim 14, further comprising: causing a graph that visually represents the network visibility appliance to be presented on a display of a computing device; and enabling an individual to specify a modification to the network visibility appliance by modifying the graph.
 19. The method of claim 14, wherein the data packets are replicated when leaving a network object that corresponds to an entry that has more than one established association.
 20. The method of claim 14, wherein the plurality of network objects includes at least one of a raw endpoint, a tunnel endpoint, an application endpoint, or a map, and wherein each raw endpoint, if any, receives traffic from a Network Interface Card (NIC) of the network visibility appliance, each tunnel endpoint, if any, receives traffic from, or sends traffic to, an environment outside of the network visibility appliance, each application endpoint, if any, receives traffic from, or sends traffic to, an application program, and each map, if any, includes at least one rule for managing traffic. 